This article on Infoworld.com reports that Bluebox Security’s 2015 Payment App Security Study found insufficient security in two P2P payment apps and three one-click, retailer-specific mobile apps:
“U.S. retailers are ramping up for the holiday shopping season, but shoppers should think twice before paying with mobile payment apps such as Apple Pay and Venmo, a study warned. Bluebox Security’s 2015 Payment App Security Study found that security was lacking in at least 10 popular mobile payment apps for Android and iOS.
Bluebox Security decided not to reveal the names of offending apps to protect individual shoppers using them from attack. Instead, the report focused on the types of flaws found.
Consumers may not realize “they are opting for the convenience of on-the-go payments over the security imparted by traditional methods like cash or checks, ultimately putting their dollars at risk,” said Andrew Blaich, lead security analyst at Bluebox Security.
In every app reviewed, security was “remarkably basic.” The apps in the study lacked enterprise-grade protections to safeguard financial transactions. For example, none of the apps had antitampering controls to prevent payments from being manipulated. None of the apps encrypted data written to disk, meaning authentication data, transaction history, and other personal information was readily available to attackers with access to the device.
Bluebox Labs selected and tested five payment apps available for both Android and iOS. Two were peer-to-peer payment apps used to send monetary gifts to friends and family, and three were one-click merchant apps from leading retailers. The apps were selected based on searches for top mobile payment apps and app store rankings. Bluebox also ran the apps on both jailbroken and nonjailbroken devices to understand how that affected overall security.”
The testing found a range of security failures:
“Every app was vulnerable to tampering that would allow funds to be routed from the user’s account to one controlled by the attacker. Any attacker with minor skill and access to the app from an app store can modify the app, including adding malware/spyware into the original code, and none of the payment apps examined in the study had any code integrity checks. This is troubling, considering that P2P payment apps are not FDIC insured; if the money gets lost, there is no consumer protection.
“Bluebox Security found one good security practice: One of the apps used certificate pinning to protect data in transit to its cloud servers. Certificate pinning helps mitigate man-in-the-middle attacks. However, since the app did not have antitampering controls, attackers would be able to disable certificate pinning.
Only two Android apps obfuscated code. None of the iOS apps did. Obfuscation “should be a standard practice across all payment apps,” Bluebox Security said. Three Android apps and three iOS apps had debug and admin messages still turned on, which is another basic developer mistake.”
The full white paper from Bluebox can be found here. Of course, we trust that Apple Pay, Android Pay and Samsung Pay have implemented far more robust security, but it is disheartening to learn that major corporations have published mobile payment applications that fail to incorporate basic security.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
Read the full story here